Flick Fisher on Data Privacy and GDPR at Fieldfisher
On this week’s episode, Michael’s joined by Felicity “Flick” Fisher, Partner and de facto COO of the law firm, Fieldfisher. Flick breaks down all things privacy and data related, including the European Union’s General Data Protection Regulation, where privacy and data laws may be headed, and the impact privacy advocates have had on the space.
Now amongst the top InfoSec legal experts, Flick's journey in the space began when she moved to the Bay Area in 2015. Initially joining her firm Osborne Clarke's Palo Alto office to focus on transactions in the tech industry, her move coincided with the emerging push for increased data privacy regulation. In January 2016, Flick moved to Fieldfisher as an Associate and the fourth employee of its newly formed Privacy, Security, and Information Group, immersing herself in all data privacy matters, with a particular interest in EU compliance as the GDPR was implemented. Since then, Flick has become a Partner, stepping into a de facto COO role and overseeing the firm's day-to-day operations.
Topics Covered
- Introducing Flick Fisher and her path into privacy (0:11)
- Scaling, recruiting, and managing a remote team (4:16)
- Building a client base through word of mouth (11:23)
- GDPR explained in thirty seconds (13:40)
- Max Schrems and accelerating GDPR enforcement (14:54)
- Privacy Shield invalidation and Standard Contractual Clauses (19:53)
- Transfer restrictions and whether startups should retreat (24:13)
- Prospects for a Privacy Shield 2.0 agreement (30:14)
- Ireland's preliminary decision on Meta data transfers (32:11)
- Country regulators and the Google Analytics ruling (36:43)
- Beyond GDPR, the Data Act and ePrivacy Directive (39:28)
- Should you design for strict German requirements (41:21)
- Operationalizing GDPR as controller or processor (44:15)
- Resources for staying current on GDPR (49:11)
As mentioned on the episode:
- Mark Webber, Fieldfisher’s US Managing Partner, Technology & Data
- Max Schrems - Austrian lawyer & digital privacy activist
- Fieldfisher’s Privacy Blog
- European Data Protection Board
Mentioned in This Episode
- Flick Fisher on LinkedIn
- Fieldfisher Privacy Blog: Recommended resource for privacy and GDPR updates
- GDPR: Full text of the EU regulation discussed throughout
- Irish Data Protection Commission: Meta's lead EU regulator weighing a transfer suspension
- Google Analytics: Austrian regulator ruled its use violates GDPR
About Between Two COO's
Hosted by Michael Koenig · betweentwocoos.com · b2coos.com
Full Transcript (auto-generated from audio)
Michael Koenig: Hello and welcome to Between Two COOs, where phenomenal chief operating officers come to share their knowledge, advice, and crazy stories. I'm your host, Michael Koenig, and I'm excited to welcome our guest, Flick Fisher, a European privacy specialist and partner in Fieldfisher's top-ranked privacy, security, and information group. Originally from the UK, Flick moved to San Francisco 7 years ago to help establish Fieldfisher's practice in the US. Now, she happily spends her days helping their tech-focused US clients navigate the ever-changing field of European privacy laws and regulations, which means she helps them twist, turn, flip, and shape their privacy compliance so they can confidently do business in Europe and hopefully keep out of trouble. Flick was recognized as a Top 40 Under 40 Data Privacy Lawyer by Global Data Review. Welcome, Flick. Thanks for being here. I'm excited to have you on.
Flick Fisher: Yeah, thanks for having me. Hi, Michael.
Michael Koenig: Well, we have so much to talk about, but firstly, I wanted to have you on to give us a peek into the inner workings of the operations of a law firm. While your partner is— excuse me, while your title is partner, you're also essentially the COO of Fieldfisher's San Francisco practice. And then secondly, I wanted to have a conversation about GDPR. So, to kick it off, how'd you end up in the legal field of privacy and InfoSec and also as the unnamed COO of the San Francisco practice?
Flick Fisher: Well, so yeah, so I came to San Francisco, I think it was 7 or 8 years ago. I was given the opportunity to come and do a year secondment out in California and I leapt at the opportunity, as you can imagine. And it was very much supposed to be a year gig, so I had a return ticket. What I didn't anticipate was I would meet my husband, my now husband, in the first 6 months of moving to San Francisco, and I would fall madly in love with California, both of them at the same time. So, it became very much about, well, I think I'm going to be staying here. At the time, I worked with another law firm who had brought me out here. And our— so, we have a managing partner of our Silicon Valley office called Mark Webber, and he and I had worked together at that previous firm. And he kind of jumped ship and went across to Fieldfisher and said, do you want to come with me? And I was absolutely delighted at the prospect because I really wanted to stay here and Fieldfisher was like an absolute brand name in privacy. So it was a fantastic opportunity. So I had come out here to do kind of tech transactions work and privacy. It was in the run-up to the GDPR and privacy was just this massive hot topic in the legal world. And there weren't that many people who really genuinely specialized in it back then, or at least it was kind of— privacy used to be part of a bigger practice that you would do. It would be tagged onto technology transactions typically. But there was just this absolute growing need for privacy expertise. And we were at a really interesting inflection point with the law because we had this brand new law that was ripping up the old law that had existed back from the '90s. And so, you know, it was a chance to become, you know, a specialist in an emerging area. So I worked really hard to kind of pivot myself. And so for the past 7 years, I've pretty much exclusively been advising on European privacy matters.
And, you know, back in the day I thought, great, this is going to be only a couple of pieces of legislation that you really have to get your head around. And boy, did that change. We've had this absolute explosion in privacy regulation, not just in Europe, but around the world as well, as other countries have started to catch up and copy the GDPR. And it's almost as though it feels like the amount of regulation and guidance seems to be changing by the day. So in your description, you kind of described how I have to flip and twist to kind of deliver the advice that we do. And it does feel like being a privacy lawyer is a bit like being an acrobat because you constantly have to be adapting to all the new changes and guidance and everything that's coming out. But it makes it an incredibly interesting space to be operating in.
Michael Koenig: Yeah, I'd imagine that your book of business is perhaps growing faster than you can keep up with. How are you all handling the influx and scaling the practice, you know, I'd imagine that while you're a law firm, you all go through some of the same operational scaling challenges that your clients go through.
Flick Fisher: Absolutely. We are, just like our clients, a business. And in many ways, because we've kind of, I guess, to give some further context here. So when I joined the Fieldfisher Silicon Valley office practice, I was actually pretty much employee number 4. And so it felt very much like a startup operation, and kind of roll forward 7 years, and we're now at 13 of us out here. So we've had to scale pretty quickly to try and meet the enormous demand for our work. You know, both Mark and I— so Mark is really our managing partner and I support him in kind of running the office. We've just, you know, developed this fantastic reputation out here for the work that we do. And with that has come a huge volume of work, which we're enormously grateful for. But we've also had this real challenge because, you know, we're European privacy specialists operating and recruiting in the US. So it's pretty hard to recruit people who have the necessary expertise. We have all the challenges of trying to get folk over here with the visa challenges, etc. So it's not always the easiest, you know, place to be recruiting European privacy specialists. But we've managed to build a really talented local team that we're extremely proud of. But yeah, it's definitely been a big challenge to build out that team given that we're not— we're kind of operating outside of our normal region.
Michael Koenig: So let me ask, in terms of remote, a lot of companies now that were fighting for the same talent within San Francisco, for instance, are now realizing that they can hire wherever, whether it be in other US cities, whether it be within other countries. And I wonder, is that a possibility for a law practice within the United States that's doing privacy like Fieldfisher, or do people have to actually physically be located in the United States in order to take on clients and advise them?
Flick Fisher: Yeah, well, so part of our real kind of unique selling point and the reason why we've grown the team out here is that we offer kind of in-time-zone European privacy specialists. So we have the biggest team both in the US, but also if you look across all of our offices, we have the biggest team of European privacy specialists, I think, of any of the European law firms, and certainly out in the US, our team is the biggest. And so, you know, we need people who can be here to pick up the phone, to get our meetings in our clients' time zone. So it wouldn't make sense for our office out here to be recruiting people who are in wildly different time zones. So we do want people who can operate out here in the right time zone, but I think we'd be a little bit more flexible about where in the US potentially, but we need them here in the US, otherwise it doesn't make a great deal of sense for this practice. I think like every business, we've now got this kind of challenge of we've come out of a period where everybody has been working remotely and, to provide some context, I mean, the legal industry has been traditionally quite archaic in the way that it has kind of accommodated or not accommodated flexible working from home. I'm sure everyone's aware of that kind of law firm image of you've got to be in the office and people are scared to leave. And although I think Fieldfisher is very different, and certainly that's not how we've run the Silicon Valley office, we had been an office where we kind of, people were coming in and that was the traditional way that we worked. And we've had to radically change our model. Everybody has been dispersed and working from home. A lot of people took the opportunity to go and work and travel throughout the US while we were kind of locked down. And we found that it worked, which has kind of disrupted the old model of thinking about how you can run a legal team.
But I will say that we've lost, and we now are facing a bit of an issue of how do we kind of bring and nurture some of those junior lawyers who need that more hands-on time, who really benefit from that collaboration and being there in person to kind of chat and bounce ideas off. So, I think there's probably a happy middle ground that we now need to reach between doing some, you know, working from home and some coming into the office, just so we can bring some of that dynamism that comes from, you know, being there to collaborate in person and share ideas and make sure that we're giving the mentoring and teaching and sharing of knowledge to people as they come up.
Michael Koenig: What have you all looked at in terms of that sort of digital remote solution for it, or is this just something that's specific to the legal sector?
Flick Fisher: Yeah, I mean, we've not come up with anything particularly creative as to how to do things remotely. I mean, the way that we kind of run is that we make sure that we've got regular team check-ins. So we have a meeting twice a week. In the beginning of COVID we were actually doing it every day just to get some face time with people, and we realized that was too much for everyone. We didn't quite need to get together every morning for a team huddle. So we have those, you know, those hour meetings on a Monday and a Wednesday to make sure that we're all connecting and sharing ideas and just seeing each other and feeling part of a team. And then as things have opened up a little bit, we've tried to encourage people, like, you know, to come for team events or to come to the office when they feel ready to do that. And then as a manager, it's all about just making sure that you're checking in with people, you know, how are they doing? It's great, you know, I have a house where I can work from home with ease. Some people are sharing apartments with people. I mean, the scenarios where people are working from home are very different. In our team, we've got this added dynamic that we're all working away from home. And so some of us hadn't been able to see our family for 2 years because we couldn't travel. So there were all of those dynamics, which meant, you know, you just had to be kind of a little bit more, as remote as you were, kind of keep your arms wrapped around the team and make sure everyone felt like you were checking in and connected with them.
Michael Koenig: Yeah, you definitely have something unique there in that you can't just easily make that trip across the pond.
Flick Fisher: No. And actually we have an incredibly diverse team because we have a Bolivian on the team. We have French people, Spanish people. So it wasn't just about going back to the UK. There was all kinds of other places that people were wanting to go back to. And it really definitely goes to morale when you haven't seen your family for 2 years. So we would try to keep everyone's spirits up and almost provide a home away from home family as much as we could.
Michael Koenig: So you described it as a startup operation in those early days and how you all developed a reputation where it helped build your client base. I mean, it's a very similar type of sales motion, let's say, or business development motion that startup companies would go through. How did you all go about that in terms of the marketing aspect, for instance? And I know that if you look at, like, Cooley, for instance, which is another international law firm, they market the firm like crazy. And just look at the bottom of any Axios newsletter and you'll see a piece of pillar content from them.
Flick Fisher: Yeah, we didn't do that, and we didn't often always have a great deal of marketing support with our small team. So it was very, very much a hands-on type of marketing approach. I think we've been lucky in that doing a good job has won us lots of work, and that's been our biggest trick, is people like working with us. We've been able to deliver tech-savvy, practical advice, really dig in and understand the market that we operate in, and I think that's served us really well. And of course, I have extensively traveled around the US, done the conferences, you name it. We're constantly pushing out content through our webinars that we do. So there is lots of kind of marketing that we do in that sense. But a lot of how we've sort of expanded here is just word of mouth and also just building off the Fieldfisher brand, which is extremely strong for privacy. So it's kind of grown naturally from that. And of course, Europe has gifted us with lots of these regulatory changes, which has meant that there's been huge demand for privacy lawyers. So it's, you know, thank you Europe. And thank you in particular Max Schrems, who I'm sure we'll talk about, you know, who's—
Michael Koenig: Oh, Max Schrems.
Flick Fisher: The Austrian privacy activist who's bringing down all the US data transfer mechanisms. Yeah. So we owe him a fruit basket.
Michael Koenig: Well, the nice thing about that word of mouth then is that you all don't need to hop on TikTok or anything like that.
Flick Fisher: So count yourselves lucky. We're just on YouTube.
Michael Koenig: On YouTube. All right, perfect, perfect. So you mentioned Max Schrems and you mentioned the gift of GDPR. To start with, can you give us the high-level 30-second elevator pitch of what GDPR is?
Flick Fisher: Yeah, so GDPR is the General Data Protection Regulation, and it is the main privacy regulation in Europe. It's a piece of regulation that binds all of the now 27 member states of the European Union, which means that every single one of those member states has to comply with the requirements of the GDPR. And it's reflected, you know, in each of those countries. So it sets out a number of key principles that you have to follow when processing personal data. So it's a regulation that regulates the processing of personal data and it has an extremely broad jurisdictional scope. So it doesn't just impact companies who are in Europe. It also can reach out and regulate companies who are offering their services in Europe or actively monitoring people in Europe. So it's, you know, deliberately broad in scope.
Michael Koenig: Now, the legal system and regulations, as you mentioned earlier, tend to move quite slowly in general, right? But GDPR seems to be moving at the speed of, I mean, an early-stage startup almost, with new rulings coming out every day. Why is that? Why is this going so quickly right now?
Flick Fisher: Yeah, well, I think— so the GDPR came into effect in 2018, and it was almost like a revolutionary change in the European privacy regime because, as I mentioned, the old data protection directive had existed since the early '90s. So it was a kind of radical change and it brought with it this big kind of kicker, which is if you don't comply, we could potentially fine you up to 4% of your global turnover. So it came with some teeth in terms of the, you know, the fines that could be issued. But as a piece of legislation, it's a principle-based piece of legislation, which frustrates people because they want to regard it like a, you know, ISO 27001. What are the controls we have to implement? So because it's a little bit ambiguous often, sometimes, in what is required, we've been dependent on guidance to be issued and case law to emerge, and that has kind of been coming. We're now at a point where that's starting to emerge at pace. And so that's why it feels like there's lots of changes happening since that law has come into effect in 2018, because we're starting to get more clarity around how we should interpret and apply some of those principles. And then there has been particular regulatory focus on this issue of transfers of European data out to countries like the US. And because that has received a ton of regulatory focus, we've seen, you know, a tumbleweed almost effect of kind of different regulatory decisions coming out in the last year. It all starts to feel like it's kind of changing at great pace, but actually what's happening is we're just getting lots of enforcement of the key principles guidance, which is having to mean that we adapt and kind of better understand all the expectations around how the GDPR should be applied. Where it's going and getting crazy at the moment is over this issue of data transfers and in particular data transfers to US cloud platforms or services.
That has been given a huge amount of regulatory focus, largely because of our friend Max Schrems, who I mentioned before. So he's almost become the biggest celebrity figure in privacy in the last couple of years. He is an Austrian privacy activist who actually got inspired to start to bring a number of actions against, in particular, Facebook. Facebook's been the target of his kind of privacy activism, along with other kind of big tech companies out here in the US. But he was himself out here, I think, listening to some lectures in, I think it was Santa Clara University. Anyway, he was out here listening to some lectures from somebody from Facebook and he got inspired to think, oh my goodness, I need to bring this company down because I don't think what they're doing complies with our fundamental human rights in Europe. So he has been on a mission since then to kind of bring actions to kind of pinpoint particular issues which he's upset about, one being the fact that US companies who are subject to the US foreign surveillance laws can gain access to information about European residents and citizens without having clear redress for those individuals to fight back or understand or have any transparency around how the US government is accessing their data. And so for the last few years, that's why we've seen a number of cases come out. So, you know, in 20— if we want to go back to 2020, Max Schrems brought a case against Facebook, which invalidated the Privacy Shield because of those concerns over US surveillance laws and the fact that the Privacy Shield as a self-certification scheme didn't properly guarantee that European data would be protected. And so it's kind of escalated from there. And then off the back of that, we've seen Schrems then, you know, further take Facebook to court.
He went through the Irish regulator, who is their main regulator in Europe, and has continued to launch his attack on Facebook, principally to try and, I think, reach the endpoint that he wants the regulators to say that Facebook can't transfer data out to the US. So that seems to be his mission at the moment. He also gathered over 100 complaints against various different websites and other things in Europe and hit all the regulators in Europe with these complaints, and now they've been forced to investigate them. So he's been pretty active in kind of really going against, in particular, US tech.
Michael Koenig: I wonder if you could tell us a little bit more about the Privacy Shield that was invalidated. Can you tell us what is that? Because unless you're really immersed in it, you may not know what Privacy Shield is.
Flick Fisher: So, the Privacy Shield was a self-certification scheme run by the Department of Commerce. And it was a self-certification scheme that the US Department of Commerce and the European Commission had worked together to kind of approve. And when we say approve, basically the Department of Commerce had kind of agreed with the European Commission that US companies could use this self-certification scheme. Signing up to and complying with the Privacy Shield requirements, US companies could use the Privacy Shield and their certification status to lawfully receive European data for processing in the US. So, you know, thousands of US companies frantically signed up to the Privacy Shield because it offered a really convenient way to, you know, receive data in the US. The problem was that that Privacy Shield, you know, process and certification scheme had to be approved on a kind of annual basis or reviewed on an annual basis. And, you know, in going through these annual reviews, there were certain deficiencies identified in the Privacy Shield, principally again around the fact that it was felt that it didn't ensure enough protections for European data, protections against the US government accessing the data through its foreign surveillance tools like FISA 702. And again, that there weren't sufficient redress mechanisms for people in Europe to kind of challenge that access. And Max Schrems picked up on all of these points and, you know, brought a case using Facebook's use of the Privacy Shield through to the highest courts in Europe, who said and agreed, "Hey, we don't think the Privacy Shield does offer a sufficient protection for European individuals' data." So they invalidated it back in 2020. It was a huge decision overnight. You know, all those companies that were paying their certification fee could no longer rely on the Privacy Shield to lawfully receive data.
And instead they had to pivot and decide what other mechanisms they could rely on. And for most companies, that meant pivoting to using something called the Standard Contractual Clauses. And the Standard Contractual Clauses are a kind of pre-approved set of terms that the European Commission has drafted and approved. They're a template set of privacy commitments or contract terms that data importers can sign up to. And if they agree to comply with those terms and sign up to the Standard Contractual Clauses with data exporters in Europe, then that is another mechanism that they could have relied upon. But it meant a huge amount of, you know, shifting to put those mechanisms in place. And then the real issue was that although the European Court said the standard contractual clauses are a valid transfer mechanism, they said that you cannot just rely on the standard contractual clauses alone and you should also be doing a case-by-case analysis of the transfer to check that, you know, you can actually offer the right levels of protection when you're processing it in the US, taking into account again, you know, are you subject to those foreign surveillance laws? What kind of encryption are you applying to the data? And so they kind of said, yeah, you can't just sign those standard contractual clauses. You've also got to do something called a Transfer Impact Assessment and test that you're able to offer the right levels of protection. So the requirements just got more and more onerous, basically as a result of this dramatic case that appeared out of 2020. And it kind of followed that the European guidance got stricter. And we're now at a point where if you are looking to transfer personal data in the clear, i.e., in an unencrypted form, for processing in the US, it's gonna be very, very difficult to do that in compliance with the regulator's kind of expectations.
Michael Koenig: And so to just put this in a practical sense for some of the folks listening, one of the challenges that this type of regulation on transferring data outside of the EU presents, from an operational perspective, is that it makes it difficult for US companies to actually provide, like, technical support to European customers unless you have technical support reps in the EU, right? Because think about it, we're currently using something called SquadCast to record this. Say we had an issue and say we were both in the EU and we wanted to have SquadCast troubleshoot it. They wouldn't be able to transmit that data out to a support rep in the United States because of these types of regulations. Have I characterized that correctly?
Flick Fisher: Yeah, and it's not— just to be clear, I mean, the GDPR itself doesn't ban data being transferred to the US. It is not written into the law. But as a result of this big decision that came out in 2020 and because of the emerging regulatory guidance, we're now at a point where, as I mentioned, and you're absolutely right, if you want to eyeball European personal data in the clear, in the US or any other country that isn't covered by what we call an adequacy decision, then yes, that's going to be challengeable by the regulators and they could, you know, come and tell you, nope, you're not supposed to be processing it in the clear. That's not, you know, you're not offering the right levels of protection for it given your exposure to the US surveillance laws. So yeah, operationally, if you were to follow some of these requirements, it's really forcing people to, you know, certainly European customers of your average US SaaS platform to reconsider, do we need to use local service providers who can offer entirely European-based support and hosting? And there are huge downsides to that, you know, in terms of, you know, how do you do follow-the-sun support if you've just got to keep everyone based in Europe? It's not practical. It doesn't reflect the way that SaaS services need to, you know, be supported, the agile development that needs to happen, which is leveraging engineering teams around the world. So this focus on borders and keeping data in Europe kind of runs counter to the way that technology services are provided.
Michael Koenig: Right. That makes sense. And thanks for clarifying. In terms of the rate that GDPR is developing, now we're talking about data not leaving necessarily. So you're storing data within data centers that are located within the EU, which AWS and Google Cloud and Microsoft have now started doing. But even that, I mean, this is non-trivial. Now we're adding another layer and another requirement. And at the rate that GDPR is developing, smaller companies really have a tough time to actually comply with GDPR and probably don't even realize what they have to do. And so you kind of get caught off guard. And I talk with a lot of different companies and some are saying, listen, we have to make a strategic retreat from the EU because quite frankly, this is becoming too onerous for us. I mean, so we could see that. Like, what do you think happens in that case? Do regulators even care?
Flick Fisher: You know, I think you're right. Like, if, you know, if I was a startup company looking at the type of requirements that I've now got to potentially have to meet to, you know, make my business something I can offer to European customers if I'm a US platform trying to offer my services, I'm going to think, I just can't, you know, those are requirements that I can't meet. And do I want to risk, you know, take some of those risks on? I think one thing I would say is all of the regulatory focus at the moment, or the principal regulatory focus, leaving Facebook aside, has been on the data exporters. So the customers of some of these US SaaS platforms. And we've not seen any, like, crazy big fines yet issued against those data exporters. A lot of these decisions are kind of like, you need to take these steps, you know, stop using this particular service provider, whether it's Klaviyo or Google Analytics, and others have been the subject of some of these decisions. So I don't think we're at a point where, if you're a US startup trying to expand your services, the risk of those issues affecting their potential customers is enough to stop you trying to expand into the European market. It's still a huge market. It's still a lucrative market. There's still an appetite in Europe for the provision of these services. There are still not enough European hosted and delivered services to compete with the US market at the moment. And I think we, like everybody, and we're talking about not just the smaller organizations, but Facebook and Google, they're all desperate for a political intervention here to help kind of moderate some of the approach at the moment. So I think to some extent it's kind of like, do what you can to avoid unnecessary risks. There are some small things that you can be doing to try and build up the basic hygiene compliance that you're going to have to have in place.
But unless a regulator comes and gets you, and they're unlikely to go against you if you're a small startup in the US, I think they're more likely to go against your potential customers. I think you've kind of got to carry on and just the reward in terms of potential business is probably still there.
Michael Koenig: So it's very interesting. You mentioned political intervention. I mean, how does this get resolved for US companies? And is it going to take— what's it going to take for EU regulators to really get comfortable with data getting transmitted outside of the EU to the US?
Flick Fisher: Yeah, well, one of the things that people are desperate for is effectively an agreement on Privacy Shield 2.0. We've seen announcements from Meta, you know, kind of saying, look, if you guys can't agree a political solution in the form of Privacy Shield 2.0, we might have to withdraw from Europe. And, you know, they have the clout to be able to make those kind of public statements. And they're not saying they want to withdraw from Europe. They're saying, please come and help us with some kind of mechanism that we can rely on here because we're just using the tools that have been given to us by, you know, the European Commission and others. So, and I think there is great hope that Privacy Shield 2.0 may— you know, we may see some progress on that political agreement over the next year. In March last year, we had statements from the European Commission and the Department of Commerce saying they were absolutely working hard and committed to trying to reach an agreement on that new Privacy Shield. There is a meeting happening in May this year where we're hoping to see a bit more of an update on how those negotiations are going. I think that's going to be pretty crucial, if they could get some agreement on Privacy Shield 2.0. But we'll wait and see what happens. Beyond that, I don't think we're going to see any change in the US law or them trying to kind of minimize the scope of their surveillance laws. I just don't think there's any appetite there for that kind of regulatory change in the US. So, you know, it's tough to know what political intervention will help here. I think it's all going to hang on that Privacy Shield 2.0 and trying to get some agreement on that.
Michael Koenig: I feel like we could buy and sell tickets for that meeting and we'd get a packed house. So you mentioned Meta. Let's talk about Meta. Just a couple of days ago— or Facebook— just a couple of days ago, the Irish Data Protection Commission made a preliminary decision to potentially suspend Meta's ability to transmit data outside of the EU to the US. So if they do suspend Meta's ability, what sort of downstream effects can other companies expect from this?
Flick Fisher: Yeah, I mean, so the Irish regulator has been very, very clear that if, you know, if the data flows are suspended for Facebook, it would be a decision that's very specific to Facebook's compliance. And they've been very clear that, you know, the decision has been made on a case-by-case review of the specifics of Facebook's compliance regime. And so it shouldn't be treated as meaning that European to US transfers have been cancelled or are somehow prohibited. So again, it is very much focused on what Facebook has been doing to implement a data transfer strategy. But of course, core to Facebook's data transfer strategy is reliance on the standard contractual clauses. And so if they end up, you know, as is hinted at in this decision where they've kind of said, you know, Facebook's current transfer mechanisms can't in practice be used was the initial decision that came out. Which we're kind of expecting to see whether that gets finalized in the next few months, it is going to have a ripple effect because of course, you know, if the rationale for Facebook not being able to use the standard contractual clauses and, you know, not having shown enough adequacy in terms of the measures that they do to protect European data, I'm sure it's going to have, you know, there'll be very similar parallels to other US companies or international companies who have been applying and relying on very similar measures to transfer data out. So it could be pretty catastrophic in terms of creating a huge unease in the market in Europe. Customers might be, you know, increasingly reluctant given, you know, the decisions that are coming out. But I think we have to keep in mind it's going to be very much focused on Facebook's compliance and not spell an absolute, you know, prohibition on transfers to the US. Sure.
Michael Koenig: And let's put this also in the context of what this means if Facebook does leave the EU. It's not, we're not talking about sharing family pictures of our kids and our pets. This is a lot of businesses that rely on Facebook. I mean, think back to when Facebook went down and all of the lost business that these local shops or even some of the larger ones, think about that impact. So yeah, people could say, well, I don't use Facebook anyways, but that's just in a personal setting. That's not necessarily in a business setting.
Flick Fisher: Yeah, I mean, their ad products are a critical part of many people's advertising and marketing strategy. And I mean, there's many businesses that are fully integrated with those Facebook ad services and who generate revenue from those integrations. So yeah, I mean, there's a bigger piece here beyond the consumer side of Facebook, really where the bigger play there for Facebook is all around its kind of advertising products and services. And as I say, it's a sort of feeding ground for lots of other businesses that hang off that. Yeah.
Michael Koenig: And if you think about the local restaurants, right, those local businesses, they don't necessarily have websites. Facebook, their Facebook page is their website. Orders are placed through the website, like all of these different things. So it's not even just the ad products. Now, one thing that is interesting here that I want to dive into is we were talking about Irish regulators here. And even though the main GDPR laws are done at the European Union level, we're seeing more and more individual countries develop their own regulations on top of GDPR. And so I used the Irish example, but just last month we had that Austrian ruling which said the use of Google Analytics, which is the standard website analytics tool, violates GDPR. And I mean, now we're talking about something that is used by 30 million websites around the world. I don't know how many of those are in the EU, but can you give us some insight into how these various country-level regulatory bodies work?
Flick Fisher: Yeah, so I mentioned that the GDPR is what we call an omnibus regulation, which means it applies automatically across those 27 member states without them having to implement it into their national law. So it applies, it's a regulation that binds everybody. However, there are over 50 provisions in the GDPR that allow for certain local laws to, you know, expand on or introduce their own specific requirements around how data should be processed. So even though we've got this kind of one-size-fits-all law, you do end up with some local nuances that have to be kind of recognized. In addition, each of the regulators effectively has the power to, you know, bring actions on behalf of its data subjects. And then depending on who— if you're a company who's doing business in Europe across multiple different member states, then you usually are able to identify what we call the lead supervisory authority, which would be your kind of point regulator that you go to. They're essentially going to be regulating you as a company, and then they have, you know, if there's ever an issue, it'd be that regulator who, in collaboration with all the other interested regulators, i.e., because there's data subjects affected in other member states, would work together to come to a decision or to investigate the issue. So although, you know, there's usually one point regulator for a particular issue, like the Irish DPC is Facebook's lead regulator, so it's been, you know, investigating and bringing these actions. In reality, what happens is they then have to go and work with all of the other affected member states and the regulators in those countries to kind of come to a decision. So at the moment, the Irish DPC, the Irish regulator, has come and issued— indicated it's issued a preliminary decision about its opinion on Facebook's data transfers. That's now got to go to the other member states through the European Data Protection Board for them to kind of approve that decision.
And so you kind of see that the regulators end up having to almost work together in some of these cases to come up with a decision. That hasn't happened with some of these, like the Google Analytics Austrian decision. That was a decision taken exclusively by the Austrian regulator. And in fact, interestingly, some of the regulators came out, I think the Danish had come out afterwards and said, almost hinted that, you know, they went and made a decision without kind of thought for other regulatory opinion on this and may have almost kind of boxed other regulators into having to take a pretty conservative stance on issues like transferring data to Google Analytics. But yeah, it's an interesting one.
Michael Koenig: It's also interesting because with some of this, some of what the Irish Data Protection Commission has also been looking at now are, I think it's with the Data Act, would regulate non-personal data. Can you provide some insight into what that looks like? So now we're not even talking about your email address or my email address?
Flick Fisher: Yeah, it's a really good question. So yeah, we all kind of are very hyper-focused on the GDPR, but actually there are some other data protection laws in Europe and there are some emerging data protection regulations that are coming down the pipeline as well. You mentioned the Data Act and some of those other laws that kind of regulate just data. And one example is what we call the ePrivacy Directive. And the ePrivacy Directive regulates things like marketing or tracking through cookies and some of the telecommunication service providers out there. And if you look at, for example, the, what we call the cookie laws, they apply and don't care whether or not you're collecting personal data through that tracking. They just care about— the law is just focused on, are you able to gain access to information stored on someone's device? And if you can get information stored on someone's device, then you are subject to the Privacy Directive. And that requires that you ask for consent to do that and you provide notice. And that's obviously most famously seen in lots of those cookie banners that appear when you go to European websites. But it regulates any kind of tracking, whether in an app, through an SDK, or web beacons, pixels, anything like that that's used to get information from someone's device. Doesn't matter if you're a controller, processor, whether or not it's personal data or not, it's all about that access to that information.
Michael Koenig: So Germany has kind of developed this reputation of being the most strict when it comes to not only privacy implementation but also enforcement of it. For the companies out there that are thinking, okay, we really, we've reached that point. We've hit our whatever the milestone is, product market fit, things like that. And oh, now we really need to start looking at guarding our flank with GDPR. Is it safe for companies to just say, well, let's just design for German regulations? And if we do that, it's kind of the gold standard and we'll be cool. Is that a good line of thinking or is this flawed?
Flick Fisher: No, I mean, it's a very interesting question. So I think again, because Germany, you know, at a high level has got the same requirements. It should be applying the same requirements because, you know, the GDPR applies in Germany as much as it does in France or Spain. The problem is that again, it's this kind of the local interpretation through their guidance is often where we start to see like different kind of approaches. And then the appetite for enforcement is also quite different across different member states. So Germany has 16 regulators. It's nuts. And so, you know, they're pretty well tooled over there to start bringing action if necessary. And they've also got a particularly strong sense of privacy being a really big human right over there for a number of historical reasons. So that combined means there tends to be a more conservative approach to enforcement over there. That's all to say that I don't think you should ever be... If you're trying to build out a privacy program that complies with the European requirements, I think there's no point in designing it to the strictest German requirements because— or to comply with their very, very conservative guidance because it would not be particularly market. And sometimes that guidance is just guidance. It's not legally binding. And you'd be left with a very, very restrained or restricted product, I think, if you're heavily reliant on data collection and use. But what I do think is if your key market is Germany and you're trying to target very heavily regulated industries like healthcare or fintech, then you might need to design a little bit more to comply with those specific German requirements. And the same principles would apply if you're trying to do business in Spain and that's a big market for you. There are some industries where you can't ignore the local regulation because you're in a more heavily regulated sector.
But if you're just designing for GDPR, I don't see a need to go and be, you know, "Right, we're going to do it to the strictest German requirements."
Michael Koenig: What you've just said in terms of designing for GDPR, companies are used to, especially in early days, designing for their customers. How do companies have to think about GDPR compliance operationally, one, but also technically, two, as they not only develop their front-end user-facing product but also their back-end operations? How do we do that?
Flick Fisher: Yeah, I mean, so there are some key things that you're always, you know, from an operational perspective, you're going to have to comply with because we know how the GDPR principles are supposed to work in practice. So, but just taking a step back, one of the things that you always have to first of all assess before you start to think about what do I need to do to design for the GDPR is to figure out when you're acting as a data controller and when you're acting as a data processor. Those are two really core concepts in the GDPR, and depending on what role you're performing will really determine the scope of your compliance obligations. So if you are just acting as a processor, a service provider that's only processing data to provide a service to a customer under their instructions, you're going to have a much more limited set of compliance obligations. And your primary obligation is to agree to a set of contractual obligations with the customer and to keep the data secure. So that's going to inform how you operationalize your privacy because you're really going to be focused on, well, make sure I stay in my processor lane, that I have good hygiene with my vendors, but I don't need to worry about things like, you know, transparency or getting consent for data processing because that's all something a controller has to worry about. So it'll very much dictate like the scope of your compliance that you have to have in place, getting an understanding of the actual role that you're playing. Controllers bear the bulk of the compliance obligations. It's going to involve a much longer list of things that you're going to have to do to comply. It's going to involve window dressing in the form of privacy policies. There's going to be engineering aspects, you know, making sure you can comply with deletion and access requests and things like that. So there is a bit of strategic upfront work.
Let's just take a level set, figure out what our role is, what data we're processing, and then we can operationalize on the requirements that will apply to us.
Michael Koenig: Right. So you, you defined a processor. Just to back up here, can you also define a controller for us? What, what does that mean?
Flick Fisher: Yeah, so a controller is really the entity that's making key decisions over how and why data is processed. So a controller is the only— is able to decide things like, well, why, why will the data be processed? For what purposes? Who am I going to be sharing the data with? How long should the data be retained for? So they have full autonomy and decision-making powers over the data. And that's to be distinguished from a processor who's literally only ever allowed to process that particular dataset on behalf of the controller, which is usually their customer. So that means, okay, we provide this service to you. We're going to tell you how it works, customer. And we will only process that data to provide that service back to you. We won't go and use it to, you know, do our product development or marketing because as soon as we start doing that, then we will become a controller. So the reality of it is that most people are wearing two hats. So they will sometimes be a processor for certain processing use cases and they'll sometimes be a controller. And it all really hinges on how much autonomy you really have to process the data. So your typical SaaS platform, again, customer data is usually sacrosanct. You just agree to be a processor of it. But you may be collecting other data like usage data. How are people clicking and what are the rage clicks in my service? You know, and you might be using Google Analytics to do that typically. Like, how are people using the services? What features? How long are they staying on pages? Where are we seeing the troubleshooting issues? You would usually be a controller of that data and have a separate list of obligations that apply to you.
Michael Koenig: It's so interesting now because we need to not only think about how is our service going to be used, how are we going to make money, how are we going to do X, Y, and
Flick Fisher: Yeah. And I guess for CEOs, a lot of, you know, they're going to be particularly interested also in the HR piece where you're definitely going to be a controller of that data. So just to put that piece in there to keep everyone aware of that. So this is where I'm going to plug the Fieldfisher resources because we spend a lot of time pushing. We have a fantastic privacy blog. We have a webinar series. You can go to our YouTube channel, the Fieldfisher Silicon Valley YouTube channel, and you can find tons of free webinars that we've run on various different topics. If you are interested in us doing a webinar on a particular topic that would be of interest, anybody's welcome to reach out to me. I always love to get ideas about what we can do to deliver information that's meaningful to people. And then, of course, if you're looking to understand regulatory guidance, then you need to go to something like the European Data Protection Board, which is basically the body which is made up of representatives of different regulators, and they issue guidance about how to comply with the GDPR. So there's a ton of guidance on their sites. Not so easy to digest if you're not so familiar with privacy requirements, but that's where you can find lots of guidance. I think the UK, although we Brexited, we still publish some of the best GDPR guidance out there. We're still subject to the UK GDPR, which is a complete replica of the GDPR. So that's got some fantastic, really user-friendly privacy resources that you can kind of lean on.
Michael Koenig: Yeah, I'm glad you knocked that softball question out of the park there. But it's so important for companies to start to actually pay attention to this because as you mentioned much earlier on, there are other countries outside of the UK, outside of the EU and entities that are looking and adopting. I mean, we look at South Africa, we look at India, the Philippines, Brazil. All of these countries are now starting to adopt similar data protection.
Flick Fisher: We've inspired other countries to do copycat GDPR-like laws. So yeah, I mean, it's becoming— we're kind of reaching a point where, you know, most countries have got some level of privacy law, which didn't used to be the case, you know, not too long ago. But now we've got, you know, as you mentioned, and this year we're about to see enormous updates to Indian data protection law. The Chinese have just updated their data protection law. And there are lots of, it's kind of like the same but different requirements all over the place. So trying to pull that together and build a global privacy program is getting increasingly challenging because of this patchwork of different requirements. But I still think it remains the case that because the GDPR is kind of the gold standard of privacy requirements, if you've based your privacy program on that, I think it will put you in good stead. But of course, you always still need to think about some local nuances and requirements that might apply. But it still remains a very solid baseline privacy compliance to kind of achieve.
Michael Koenig: Yeah. And for those listeners who are saying, oh, we're cool, we don't do business outside of the US, well, guess what? You have CCPA in California. You've got Colorado, Illinois, Virginia, all these states are introducing different privacy laws. Hopefully the federal government does, you know, I can't believe I'm saying this, but does step in and create some sort of regulation so that we at least here in the United States don't have to try and comply with 50 different privacy regulations. So anyways, I digress. Clearly, yeah, this is keeping me up at night. So Flick, GDPR aside, it's time for my last and favorite question, and I suspect that you're going to have some difficulty answering it because of attorney-client privilege. We've all had those moments though, where a new problem comes up and we've thought, "Well, never thought I'd see that." Do you have one that comes to mind that you can share with us? And if the answer is nope, totally understand.
Flick Fisher: Oh my goodness. Things that I've been really surprised about. I mean, I guess, and this, I really couldn't go into too many details, but obviously one, a big part of our practice is dealing with security breaches. And not to get too political, but obviously we're in with the Ukrainian situation and the enormous threat of cybercrime that is coming off the back of that awful situation there. And we've seen the weaponization of cybercrime by the Russians. I've had some interesting discussions in the last few weeks with some of our clients over some of those issues. So we get to see some very interesting things and sometimes slightly scary things that are happening. And it's part of our practice to help people navigate that and find ways to address their legal obligations that apply when you've got some of those big cyber risks. But yeah, that's definitely— and I will say, we do act for some of the kind of dating apps out there, and we've seen some interesting things through that as well.
Michael Koenig: I'd imagine so. I'd imagine so. Well, thanks for sharing. And also a good reminder to everyone, make sure you have like a cyber—
Flick Fisher: Yeah, massively important.
Michael Koenig: Yeah, a cyber insurance policy here because that's something that you don't want to get caught with. Well, Flick, thanks so much for coming on the show and really just dropping a lot of knowledge on us. Where can people go to keep up with you?
Flick Fisher: So, again, you can catch me on LinkedIn where I can regularly post things. And I'll also, if you're interested in our webinars, I'll always post it on LinkedIn so everybody can sign up from there. So, yeah, you can find me on LinkedIn. It's probably the easiest way to get me or subscribe to our YouTube channel.